I’ve been using Copperhead since pretty much day 1 of their public release. I know some of the people here are like me and see the “Secure OS” bullshit and generally roll their eyes and move on. But the Copperhead guys mean it, check out some of their blog posts:
strcat has been doing a pretty incredible job and is an incredibly smart person who I think should get some love. If you think “hey, that is in mainline now!” that is probably because he submitted it to mainline and you can thank him for it.
I know this might defeat the purpose but is it possible to use Copperhead and still have access to Google services like the Play Store?
Would love for my phone to be more secure but I gotta play my Hearthstone
Yes. You can install GApps and the Google Play Store. Apparently this is pretty common with people who use things built on AOSP.
I’m considering adding microG GmsCore to substitute for GApps and sideload some apps that depend on location services and things, but there’s a whole involved rooting setup that I haven’t had the spare attention for. Android is only 8 years old and seems to have an incredible amount of tech debt.
The team has made it pretty clear that they do not want to support GApps, it breaks their security model and it poses some legality questions. You “can” install GApps, but pretty much every update is going to break it and you will have to do a clean flash. So it’s not optimal.
That aside, I have been using my old phone to download the apps I need but aren’t on F-Droid, then I just
adb pull storage/$APP/base.apk
and install it to my Copperhead phone. Just be careful about apps that use GCM (looking at you, Signal)
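The pull-and-sideload flow from the comment above, as an added example that is not part of the thread: it pulls the APK from the old phone with adb, then refuses to install it on the Copperhead phone unless the signer certificate matches a SHA-256 digest pinned from a trusted install. It assumes adb and apksigner (Android build-tools) are on PATH, that the two phones are addressed by serial, and that the pinned digest was recorded beforehand with apksigner on the old phone; the function names, serials and digest are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes adb and apksigner on PATH
# and that OLD_SERIAL / NEW_SERIAL / the pinned digest are supplied by the caller.
set -eu

# Locate the installed APK on the source device and pull it to a local file.
pull_apk() {  # pull_apk <serial> <package> <out_file>
    path=$(adb -s "$1" shell pm path "$2" | sed -n 's/^package://p' | head -n 1 | tr -d '\r')
    [ -n "$path" ] || { echo "package $2 not found on $1" >&2; return 1; }
    adb -s "$1" pull "$path" "$3" >/dev/null
}

# Extract the first signer's SHA-256 certificate digest (lower-case hex)
# from the text printed by `apksigner verify --print-certs`.
signer_sha256() {  # signer_sha256 <apksigner output>
    printf '%s\n' "$1" | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' \
        | head -n 1 | tr 'A-F' 'a-f' | tr -d '\r'
}

# Succeed only if a digest was found and it equals the pinned one (case-insensitive).
digest_matches() {  # digest_matches <apksigner output> <pinned hex digest>
    got=$(signer_sha256 "$1")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Full flow: pull, verify the APK signature is valid, pin the signer, then install.
# apksigner exits non-zero on a broken signature, which aborts the script under set -e.
sideload_pinned() {  # sideload_pinned <old_serial> <new_serial> <package> <pinned digest>
    apk="./$3.apk"
    pull_apk "$1" "$3" "$apk"
    out=$(apksigner verify --print-certs "$apk")
    if digest_matches "$out" "$4"; then
        adb -s "$2" install -r "$apk"
    else
        echo "signer mismatch for $3; refusing to install" >&2
        return 1
    fi
}
```

Pinning the signer catches a swapped or repackaged APK that still carries a valid (but different) signature, which a plain `adb install` would happily accept.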
What does success look like for CopperheadOS? Is it being more secure than Android? The most secure smartphone platform? Responding to vulnerability reports faster than other mobile platforms? Harder to find vulnerabilities in than any other mobile platform?
I don’t know if you can bolt security principles on after the fact and end up in a better place than e.g. iOS, which has been aggressively security-focused from the start.
I find it tough to imagine how a small team using the same foundational technologies as commodity consumer computing is going to achieve a breakthrough in trustworthiness or reliability.
For now, it seems to be “addressing lots of low-hanging fruit”, but you make a good point.
Nice to see they imported OpenBSD’s malloc.
Odd, I had thought stock Android was already using it, but I guess not?
It used dlmalloc until Lollipop when it started using jemalloc (source). Bionic does use a lot of OpenBSD’s libc however (but not the malloc).
Oh that’s great lol. Especially how their security team was worried about including something the OpenBSD team already vetted. At least they’re smart enough to copy good code in a key area.
I believe it’s currently using jemalloc (to go faster!).
I wasn't aware of the US open source funding initiative, has it been doing much that matters? And is it really possible to believe they’ll give funding to a private company, or is that incongruent with their policies?